Hello Mark,

That it so far has been rather impractical to develop a SELinux policy module outside of the 'upstream policy tree' is a different issue. (Given that there were the NSA-developed policy, the 'new' reference policy with strict and targeted modes and being under heavy development)

The NSA policy has been discontinued, and the reference policy 'targeted' and 'strict' modes have been merged into just one policy (with a module to use 'targeted' mode).

How about you just follow the same road that Exim took? Develop the module, send it to SELinux policy upstream, who happily included it in policy upstream. When the refpolicy package is updated again (Manoj seems to be MIA?), then we can close this bug.

> There has certainly been no visible work on encouraging anyone to
> provide SELinux policies outside the SELinux packages and I can't seem
> to see any obvious support for doing so.

Which is irrelevant, actually, that this isn't obviously done... There is a package, selinux-policy-refpolicy-dev, for developing custom policy modules.

> Given the factors above I am more inclined to close the bug or tag it
> wontfix. I'm really not comfortable adding SELinux support in a package
> while this appears to be against the desires of the people doing SELinux
> work.

It's not at all against the desires of the SELinux people that you develop a policy for leafnode. It currently makes more sense to add the policy module to the refpolicy package *when it's done*, but that's independent of the actual policy development.

best regards,
Erich Schubert
--
 erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
 A polar bear is a rectangular bear after a coordinate transform.  //\
 Good friends are like stars in the night. Even when they are      V_/_
 sometimes behind the clouds, you know they are there for you.